Why we can’t delay safeguarding the IoT in critical national infrastructure

It’s crucial to keep power grid security airtight.

When discussing Internet of Things (IoT) security, it is vital to first recognise the increasing extent to which our daily lives are reliant on these entirely connected systems. Integrating IoT devices within mission-critical industries means that, while gaining efficiencies, we create a breeding ground for new points of attack. These networks are of vital importance, says Alan Grau, VP of IoT, Embedded Solutions at Sectigo; protection of the gate becomes a priority.

While even the layman citizen will realise the crucial nature of keeping the power grid or the water supply airtight, one element is frequently missing from the conversation, the central role of securing IoT devices including authentication using digital certificates.

There is now an imperative to authenticate all things connected and certificates are at the forefront of overcoming the vulnerabilities within our critical national infrastructure (CNI). And time is of the essence. The Ponemon Institute has revealed that 90% of CNI providers are already battling IoT attacks. Likely, the other 10% have not yet recognised they are also being attacked.

As an increasing number of distributed denial of service (DDoS) and ransomware attacks continue to target unsecured devices, organisations need to wake up and address the inherent risks posed by unsecured endpoints across ecosystems from servers to vehicles to power grids.

A growing number of governments have recently issued regulatory requirements for consumer device security, but the measures are far from global; nor are they comprehensive. It’s up to everyone in the ecosystem, from original equipment makers (OEMs) to end user organisations, to build in and adopt authentication technology that safeguards our CNI.

Keeping the healthcare industry secure

The healthcare sector faces the monumental challenge of handling multitudes of sensitive data. Whether it is managing intellectual property, confidential Personal Health Information (PHI) or the configuration of a connected device; data is justifiably the health sector’s most valuable asset and subsequently one of the most complicated to protect.

Any system or device that holds or transmits high-value patient, research, or organisational data is at risk. The threats, which can originate from both internal and external sources, now run the gamut from malware, ransomware, IoT Botnets and theft to phishing attempts, business email compromise (BEC), extortion, and large-scale data breaches.

Unfortunately, many healthcare organisations remain insufficiently protected. Most do not have the high level of data encryption required to secure both data in motion and data at rest. Many still do not make full use of the benefits that digital identity can bring across a variety of use cases.

Perhaps even more concerning is the often-overlooked risk posed by unsecured “things” in the sector. Most healthcare organisations with emerging business models that depend on the IoT often fail to recognise that their connected devices (biosensors for patient monitoring, wearables for telemedicine, pacemakers, pumps, and the like) represent a significant security risk.

The increasing digitisation of the patient experience, coupled with a growing reliance on data (including credit card payment data), means it’s imperative for organisations in this sector to continually fortify their security capabilities and close potential vulnerabilities to stay ahead of threats.

Securing every vehicle

The arrival of autonomous vehicles will ramp up the potential threat to property and life brought on by an IoT attack. In the not-so-distant future, delivery trucks, buses, taxis, and personal vehicles will be autonomous, offering rich targets for cyber attackers. Autonomous vehicle manufacturers state that the IoT technology that will allow these vehicles to talk directly to each other and to a city’s traffic system will result in a more efficient and safe travel system.

However, this communication requires a perfect, untampered-with flow of information between vehicles to ensure their close coordination while possibly traveling at high speeds, just inches apart.

According to the 2019 Consumer Watchdog report ‘Kill Switch’, more than two-thirds of new cars on American roads by 2022 will have online connections to their safety-critical system, putting them at risk of deadly hacks to vehicles’ “head” system, used primarily for infotainment, GPS navigation, and other features.

What happens if one of these vehicles gets hacked, crippling its communication, so that it cannot coordinate with other vehicles? At a minimum, the hacker can cause traffic to get tangled. At worst, the bad actor could cause serious accidents, possibly resulting in injury and loss of life for the passengers and/or nearby pedestrians. Another real threat is a massive ransomware attack against vehicles. Security is clearly imperative for connected cars.

Protecting the power grid

The benefits of IoT in the energy sector are clear. The massive collection of sensors and control devices ensure the reliability of the supply and can prevent outages by controlling the flux of power at any given moment. The modernisation of the system also means increased energy efficiency and less need for human intervention, a cost-saving advantage for organisations. In addition, by retrieving a rich supply of data, the smart grid can create predictive maintenance models, increasing overall safety.

Alan Grau

There is of course a flip side to this automation and collective intelligence. Myriad cyberattacks and white hat incidents throughout the past decade underscore both the vulnerability of the energy industry and its high value as a target. Cyber criminals understand this and continue to actively find ways to implant malicious code in foreign grids in order to exploit it when it’s time to strike. One such example is Russia’s test attack on Ukraine’s electrical grid, confirming the country’s ability to turn out the lights at will.

Given the potentially catastrophic fallout, it is now more important than ever for the energy industry to make securing this increasingly widespread technology a major priority.

Designing a solution from the manufacturing floor

The solution is not only in the hands of legislators, but also device manufacturers and other parties involved in the supply chain. Identity management must be built-in by design, automated to avoid error or sabotage, and regularly updated throughout the entire lifecycle of each device.

Identity authentication tools are an essential safeguard for protecting critical infrastructure and its many devices. Digital certificates, secure boot and secure code updates, embedded firewalls, and other technologies enable healthcare, transportation, energy, and other critical enterprises to detect and block unauthorised connections before they enter the network, thereby keeping the gate closed to cyber criminals from the outset.

Enterprise and embedded IoT security are no longer solely the concern of technology vendors or grid operators. IoT identity has become a matter of national interest.

The author is Alan Grau, VP of IoT, embedded solutions at Sectigo

About the author

Alan Grau is VP of IoT, Embedded Solutions at Sectigo, a global provider of automated digital identity management and web security solutions. Alan joined Sectigo in May 2019 as part of the company’s acquisition of Icon Labs, a provider of security software for IoT and embedded devices, where he was CTO and co-founder. 

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Snow Software study uncovers the realities vs. the promises of cloud

Posted on: October 26, 2021

26 October, 2021 –Snow Software, the global provider of technology intelligence, unveiled findings from its most recent survey, based on the input from more than 500 IT leaders from organisations with over 500 employees in the United States and United Kingdom to determine the current state of cloud infrastructure.

Read more

CloudM announces Archive feature which save businesses time and money while meeting compliance demands

Posted on: October 26, 2021

CloudM, a SaaS data management platform, has announced the launch of Archive, a new feature which allows users to easily, automatically, and safely store and recover user data, helping businesses to remain compliant without facing the mounting user license fees associated with traditional archiving and ediscovery solutions.

Read more